Client-side encryption in ThreeTags
This is a brief description of the data security architecture at www.threetags.com. If you have more questions or concerns, please feel free to post them at our News and support site.
User authentication
When a user registers with ThreeTags, he/she creates a username and a password. The password is never transmitted to the server; instead, it is combined with a unique 'salt' string and then hashed in the browser using the SHA-1 hashing algorithm. It is this 'password hash' that, with the username, is used to identify the user.
User data encryption
Encryption key: Upon successful user authentication, a 256-bit encryption key is created on the client using the PBKDF2 key derivation technique. Because the threetags.com server has access only to hashed passwords, and encryption keys are generated using the passwords themselves (with unique salts), it is impossible for us to guess user encryption keys.
Encryption: All user data is then encrypted/decrypted in the browser using the AES-256 encryption algorithm, and is transmitted over the Internet and stored on threetags.com servers in this encrypted state.
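The flow described above (a SHA-1 password hash for login, a separate PBKDF2-derived 256-bit key for AES-256) can be sketched with Node's built-in crypto module; this is an added example, not ThreeTags code. The salt strings, the salt-then-password concatenation, the use of separate salts for the hash and the key, PBKDF2-HMAC-SHA256 with 100000 iterations, and the GCM mode are all assumptions, since the page does not state them.

```javascript
// Added example, not ThreeTags code. Assumed: salt values, salt+password order,
// PBKDF2-HMAC-SHA256, 100000 iterations, AES-256 in GCM mode.
const nodeCrypto = require('node:crypto');

// What the server receives at login: SHA-1 over salt and password.
function authHash(password, authSalt) {
  return nodeCrypto.createHash('sha1').update(authSalt + password, 'utf8').digest('hex');
}

// What stays on the client: a 256-bit key derived with PBKDF2 and its own salt.
function deriveKey(password, keySalt, iterations = 100000) {
  return nodeCrypto.pbkdf2Sync(password, keySalt, iterations, 32, 'sha256');
}

// Encrypt a note; only {iv, tag, ciphertext} would be transmitted and stored.
function encryptNote(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, tag: cipher.getAuthTag(), ciphertext };
}

// Decrypt; throws if the key is wrong or the stored record was modified.
function decryptNote(key, { iv, tag, ciphertext }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample values, for illustration only.
function demo() {
  const password = 'correct horse battery staple';
  const token = authHash(password, 'auth-salt-for-alice');
  const key = deriveKey(password, 'key-salt-for-alice');
  const stored = encryptNote(key, 'meeting notes for Tuesday');
  const roundTrip = decryptNote(key, stored);
  let wrongKeyFails = false;
  try {
    decryptNote(deriveKey('wrong password', 'key-salt-for-alice'), stored);
  } catch (e) {
    wrongKeyFails = true; // GCM tag check rejects a key from another password
  }
  return { token, keyHex: key.toString('hex'), roundTrip, wrongKeyFails };
}
```

The login token and the encryption key come from the same password but are different values, so holding the stored record and the token alone does not yield the key.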
This is what a typical request looks like:
Why not just use SSL?
Many web sites use SSL as a mechanism to protect user data. However, this method is supposed to protect only the communication step of the puzzle (and often it is not doing the job well); user data is still accessible on the server side to read and interpret. ThreeTags is unique in that even with full access to user data on the server no one can see it unencrypted. If you really want to use SSL, you can use this URL: https://threetags.appspot.com.
Performance issues
Data encryption is a CPU-heavy operation, and JavaScript, the language used by web browsers, was not designed with performance in mind. In our tests, all major browsers were able to encrypt/decrypt small notes quite promptly, with Mozilla Firefox and Google Chrome being the fastest. Unfortunately, the most popular web browser, Microsoft Internet Explorer, is also the slowest in the aspects that matter most to us. While Firefox and Chrome encrypt/decrypt a 100KB note in 3-10 seconds, depending on your computer configuration and load, Microsoft Internet Explorer can spend several minutes doing the same operation. Thus we recommend Mozilla Firefox or Google Chrome for a better user experience.
Potential vulnerabilities
No information storage/management system is 100% secure. In any online communication, there are four general points of vulnerability: the client computer can be compromised, the server side (web site) can be breached or untrustworthy, and the medium used to transfer data (the Internet) is relatively easy for eavesdroppers to exploit. The fourth vulnerability point is the user him/herself: using pet names as passwords, and writing passwords on post-it notes for everyone to see, are venerable and sad traditions, for example. ThreeTags is designed to make the communication step and the server side more secure. We also chose to use Google AppEngine as our infrastructure provider, as no other company has more to lose in case of an online security breach. Security of the client computer is the responsibility of the user.
© 2009 ThreeTags Inc.